Place the certificate chain file somewhere HAProxy can access it, and append the following to the bind line of each frontend where you want to use client-side certificates: ca-file <path to certificate chain> verify required. If you also want to accept visitors without an SSL certificate, change verify required to verify optional. You might want this if you handle the certificates in your application.

Below is an example which sends users to a different backend depending on whether they present a client-side certificate. It also sends users to a special error page if their client-side certificate fails validation.
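A configuration along the lines described here, written as an added example and not the original post's own config. The bind address, file paths, backend names and server addresses are placeholders; the header names match the ones listed further down.

```haproxy
# Added example; addresses, paths and backend names are placeholders.
frontend https-in
    mode http
    # verify optional + crt-ignore-err all: the TLS handshake completes even
    # when the client certificate fails validation, so the request can be
    # routed to an error page instead of being dropped at the TLS layer.
    bind 192.0.2.10:443 ssl crt /etc/haproxy/pem/server.pem ca-file /etc/haproxy/pem/client-chain.pem verify optional crt-ignore-err all

    # set-header replaces any header of the same name sent by the client,
    # so the backend only sees values produced by HAProxy.
    http-request set-header X-SSL                   %[ssl_fc]
    http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]
    # ssl_c_sha1 is a binary sample; hex,lower turns it into printable hex.
    http-request set-header X-SSL-Client-SHA1       %{+Q}[ssl_c_sha1,hex,lower]
    http-request set-header X-SSL-Client-DN         %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN         %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer            %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]

    # Rules are evaluated in order; the first match wins.
    # 1. Certificate presented but validation failed (ssl_c_verify != 0).
    use_backend ssl-error unless { ssl_c_verify 0 }
    # 2. A valid client certificate is in use on this TLS session.
    use_backend app-with-cert if { ssl_c_used }
    # 3. No client certificate at all.
    default_backend app-no-cert

backend app-with-cert
    mode http
    server app1 127.0.0.1:8080

backend app-no-cert
    mode http
    server app2 127.0.0.1:8081

backend ssl-error
    mode http
    server err1 127.0.0.1:8082
```

Because the application trusts these headers for authentication decisions, the backend servers should accept connections only from HAProxy.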

The {+Q} means that the data is quoted as a string. Otherwise it would be binary or boolean.

In your backend the headers look like this:

X-SSL: 1
# 1 if client used a secure connection, 0 if not.
X-SSL-Client-Verify: 0
# The status code of the SSL client connection
X-SSL-Client-SHA1: "a01b894d12579d88efce97d27107f380b05f5968"
# The SHA-1 hash of the client certificate.
X-SSL-Client-DN: "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/CN=exampleUserCertificate/emailAddress=example@example.org"
# The full Distinguished Name of the client certificate.
X-SSL-Client-CN: "exampleUserCertificate"
# The full Common Name of the client certificate.
X-SSL-Issuer: "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/CN=Sparkling Intermediate Client SSL CA 2"
# The full Distinguished Name of the issuing certificate.
X-SSL-Client-Not-Before: "120101100030Z"
# Date from which the certificate is valid, in the format YYMMDDhhmmss
X-SSL-Client-Not-After: "160101100030Z"
# Date from which the certificate is no longer valid, in the format YYMMDDhhmmss